This week, researchers presented at Black Hat Europe in London information regarding an extremely dangerous new “fileless” attack vector that affects all Windows operating systems. The researchers observed that the attack bypasses many widely used endpoint security tools. AppGuard customers need NOT make any policy adjustments to mitigate risks from such attacks. AppGuard already blocks them.

Details of the new code injection attack can found in the researchers’ Black Hat presentation available online. In short, exploitation of the discovered Windows design flaw involving commonly available Windows system calls (API), enables attackers to inject code into Windows system files or other trusted applications, transforming them into weaponized instruments working for the attackers. Worse, because of the way Windows operates, antivirus, Endpoint Detection and Response (EDR), and other tools are unable to detect and stop these code injections. Sophisticated attackers can further take advantage of this blind spot by leaving little to no indicators of compromise behind, making compromise discovery even more difficult. These new code injection attacks can succeed without leaving a trace.

In-memory tactics became increasingly prevalent in the wild after application whitelisting cyber controls became widely adopted by the enterprise. This is because whitelisting only prevents unknown executables from launching. Such tools do NOT contain what trusted applications do after they launch. In the Doppleganging code injection attack, the malicious code is inserted into the application during the program load stage.

Based on the revealed tests using the new code injection attack, none of the well-known antivirus products, including much hyped Machine Learning/Artificial Intelligence antivirus products, were able to detect and stop the attack. The products are listed in the Black Hat presentation.

When the Doppleganging code injection attack is used in the wild, it will typically be launched in the form of phishing, drive by download, or via weaponized document. AppGuard will defeat such attacks in the earliest Doppleganging stages, preventing the adversaries from transforming other processes on the endpoint into unbounded malicious instruments.

The Doppleganging attack potential helps illustrate the downside to reliance on a ‘detect and react’ posture. It requires the enterprise to employ an army of highly skilled analysts to sift through mountains of alerts from many different sources. Check out our recent blog post on cyber alerts fatigue. Despite the army of analysts, the array of tools and services, and the workflow overhead, the time to detect data breaches is usually measured in months. Ponemon reported a median of just over 6 months. How long can the enterprise sustain these costs and labor challenges that grow year after year? The enterprise cannot afford to accept endpoint compromises as an unavoidable new normal. It needs to keep fighting the good fight, preventing compromises at the endpoint. Much of the enterprise cyber program costs depends on what happens at the endpoint.

Developer

Copy-Paste is more efficient. I am not trying to make a fashion statement or any kind of statement, but you know there are those that will accuse me of doing something rotten. Here on the forums a simple copy-paste will get you falsely accused.

Can I timidly say something? Speaking of fashion, those are the addresses of your offices? The New York one is right by the Fashion Institute of Technology in midtown Manhattan--I must have walked by that building a hundred times. This is some of the most sought-after unreal estate in the world, believe it!

About Us

Our community has been around since 2010, and we pride ourselves on offering unbiased, critical discussion among people of all different backgrounds about security and technology . We are working every day to make sure our community is one of the best.

Helpful Links

Need Malware Removal Help?

If you're being redirected from a site you’re trying to visit, seeing constant pop-up ads, unwanted toolbars or strange search results, your computer may be infected with malware.
We offer free malware removal assistance to our members in the Malware Removal Assistance forum.

Quick Tip

Without meaning to, you may click a link that installs malware on your computer. To keep your computer safe, only click links and downloads from sites that you trust. Don’t open any unknown file types, or download programs from pop-ups that appear in your browser.